Profile Applicability:
Level 1
Description:
Ensure that the Kubernetes API server is configured to use only strong cryptographic ciphers for TLS communication. Strong ciphers help ensure that the encrypted communication between the API server and clients (e.g., kubectl, kubelet, etc.) is secure and resistant to attacks such as eavesdropping, man-in-the-middle, or downgrade attacks.
Rationale:
Using weak or outdated cryptographic ciphers can expose the Kubernetes cluster to security vulnerabilities, making it easier for attackers to decrypt or manipulate data in transit. Ensuring that only strong ciphers are used helps protect sensitive information and maintain the integrity and confidentiality of communications within the Kubernetes environment.
Impact:
Pros:
Enhances security by ensuring that only strong, modern cryptographic ciphers are used for encrypted communications.
Helps prevent downgrade or cryptographic attacks by disabling weak ciphers.
Contributes to overall compliance with security standards like NIST, PCI-DSS, and others.
Cons:
Misconfiguring cipher settings could cause communication issues between the API server and clients, especially if legacy clients or systems are used that do not support the new ciphers.
Requires careful management and understanding of the available ciphers and protocols.
Default Value:
By default, Kubernetes may use a mix of strong and weak ciphers. Manual configuration is required to specify which ciphers are allowed and ensure only strong ones are used.
Pre-Requisites:
Access to the Kubernetes API server configuration.
Understanding of strong TLS protocol versions and cipher suites (e.g., TLS 1.2 or 1.3 with AES-GCM ciphers).
Sufficient privileges (root or administrator access) to modify the API server configuration.
A Kubernetes environment where secure communication is a priority.
Test Plan:
Using AWS Console:
Sign in to the AWS Management Console.
Open the Amazon Elastic Kubernetes Service (EKS) console.
Navigate to the "Clusters" section and locate your cluster.
Review the API server's TLS configuration settings to ensure that it uses strong cryptographic ciphers.
Confirm that weak ciphers such as RC4 or 3DES are not listed as supported.
Using AWS CLI:
Retrieve the configuration for the Kubernetes API server:
kubectl get deployment -n kube-system kube-apiserver -o yaml
Check the --tls-cipher-suites argument in the API server arguments section:
--tls-cipher-suites=TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,...
Ensure that only strong ciphers (e.g., TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256, TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) are listed, and no weak ciphers are included.
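The check above can be scripted so that the audit is repeatable. The following is an added example (not part of this benchmark page) that reads the same manifest the previous step retrieves, here with `-o json` instead of `-o yaml` so only the Python standard library is needed, extracts the `--tls-cipher-suites` flag from the kube-apiserver container, and flags any suite outside an allowlist of forward-secret AEAD suites. The allowlist and the sample manifest are the author's own assumptions, and the sample manifest is constructed, not captured from a real cluster.

```python
"""Audit the kube-apiserver --tls-cipher-suites flag from `kubectl get ... -o json` output."""
import json

# Allowlist (assumption): forward-secret AEAD suites, i.e. ECDHE key exchange
# with AES-GCM or ChaCha20-Poly1305. Anything else (RC4, 3DES, CBC, static RSA) is weak.
STRONG_SUITES = {
    "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
    "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
    "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256",
    "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384",
    "TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305",
    "TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305",
}

def apiserver_args(manifest):
    """Flatten command+args of the kube-apiserver container from a Pod or Deployment manifest."""
    spec = manifest["spec"]
    pod_spec = spec["template"]["spec"] if "template" in spec else spec
    for c in pod_spec["containers"]:
        if c["name"] == "kube-apiserver":
            return list(c.get("command", [])) + list(c.get("args", []))
    raise ValueError("no kube-apiserver container found")

def cipher_suites(args):
    """Return configured suites, or None when the flag is absent (Go library defaults then apply)."""
    for i, a in enumerate(args):
        if a.startswith("--tls-cipher-suites="):
            return [s for s in a.split("=", 1)[1].split(",") if s]
        if a == "--tls-cipher-suites" and i + 1 < len(args):
            return [s for s in args[i + 1].split(",") if s]
    return None

def audit(manifest):
    """Pass only if the flag is set and every listed suite is in the allowlist."""
    suites = cipher_suites(apiserver_args(manifest))
    if suites is None:
        return {"flag_present": False, "weak": [], "pass": False}
    weak = [s for s in suites if s not in STRONG_SUITES]
    return {"flag_present": True, "weak": weak, "pass": not weak}

# Constructed sample manifest: one strong suite plus two suites the text calls weak (3DES, RC4).
SAMPLE = json.loads("""{"kind": "Deployment", "spec": {"template": {"spec": {"containers": [
 {"name": "kube-apiserver", "command": ["kube-apiserver",
  "--tls-cipher-suites=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_RSA_WITH_3DES_EDE_CBC_SHA,TLS_ECDHE_RSA_WITH_RC4_128_SHA"]}]}}}}""")

if __name__ == "__main__":
    print(json.dumps(audit(SAMPLE), indent=2))
```

Pipe real output in with `kubectl get deployment -n kube-system kube-apiserver -o json` and pass the parsed document to `audit()`; a missing flag is reported as a failure because the server then falls back to library defaults rather than an explicit allowlist.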
Implementation Plan:
Using AWS Console:
Sign in to the AWS Management Console.
Open the EKS service and navigate to your cluster.
Review the cluster's configuration for the --tls-cipher-suites argument in the API server settings.
If the argument is missing or misconfigured, update the API server configuration to only include strong ciphers:
Save and apply the changes to the Kubernetes API server configuration.
Using AWS CLI:
Modify the API server deployment by adding or updating the --tls-cipher-suites argument:
kubectl edit deployment -n kube-system kube-apiserver
In the deployment YAML, locate the command section under the spec for the kube-apiserver container.
Add or update the following line to include only strong ciphers:
--tls-cipher-suites=TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
Save and exit the editor to apply the changes.
Backout Plan:
Using AWS Console:
Sign in to the AWS Console.
Open the EKS service and navigate to your cluster.
Locate the API server configuration.
If necessary, revert the change by restoring the previous (weaker) cipher suites or removing the change.
Save and apply the changes to the Kubernetes API server configuration.
Using AWS CLI:
To revert the change, edit the API server deployment to restore weaker ciphers if needed:
kubectl edit deployment -n kube-system kube-apiserver
Update the deployment YAML to include the previous (less secure) ciphers.
Save and exit the editor to apply the changes.
References:
Kubernetes API Server TLS Configuration